Connecting SEAL Elastic Stack to an OIDC Provider

---

1. In order that OIDC works correctly, the Java that runs Elasticsearch has to trust the identity provider's certificate. Otherwise you have to import the CA certificate into Java's cacerts truststore:

   sudo /opt/seal/seal-elasticsearch/jdk/bin/keytool -importcert -noprompt -trustcacerts -alias CustomerCA -file "ca.pem" -keystore cacerts -storepass changeit
   

2. In the Elasticsearch internal keystore, add the client secret for Elasticsearch:

   sudo -u seal ES_PATH_CONF=/opt/seal/etc/seal-elasticsearch /opt/seal/seal-elasticsearch/bin/elasticsearch-keystore add xpack.security.authc.realms.oidc.cloud-oidc.rp.client_secret
   The elasticsearch keystore does not exist. Do you want to create it? [y/N]y
   Enter value for xpack.security.authc.realms.oidc.cloud-oidc.rp.client_secret:
   

3. Add the following lines to /opt/seal/etc/seal-elasticsearch/elasticsearch.yml, example is Azure AD:

   node.name: <fqdn>
   network.host: 0.0.0.0
   discovery.type: single-node
   xpack.security.enabled: true
   xpack.security.authc.token.enabled: true
   xpack:
     security:
       authc:
         realms:
           native:
             native1:
               order: 0
           oidc:
             some-oidc:
               order: 2
               rp.client_id: "<client-id>"
               rp.response_type: code
               rp.redirect_uri: "https://<kibana-uri>:5601/api/security/v1/oidc"
               op.issuer: "https://login.microsoftonline.com/.../v2.0"
               op.authorization_endpoint: "https://login.microsoftonline.com/.../oauth2/ v2.0/authorize"
               op.token_endpoint: "https://login.microsoftonline.com/.../oauth2/v2.0/ token"
               op.jwkset_path: "https://login.microsoftonline.com/.../discovery/v2.0/keys"
               op.userinfo_endpoint: "https://graph.microsoft.com/oidc/userinfo"
               op.endsession_endpoint: "https://login.microsoftonline.com/.../oauth2/v2.0/logout"
               rp.post_logout_redirect_uri: "https://<kibana-uri>:5601/logged_out"
               rp.requested_scopes: ["openid", "email", "profile"]
               claims.principal: preferred_username
               claims.name: name
               claims.groups: roles
   

   The native realm in the above example is not required for a pure OIDC setup. This realm is needed to create internal users in Kibana.

4. Add the following lines to /opt/seal/etc/kibana.yml:

   xpack.security.authProviders: [oidc, basic]
   xpack.security.authc.oidc.realm: "some-oidc"
   server.xsrf.whitelist: [/api/security/v1/oidc]
   

---